aicoin-market
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The file `lib/defaults.json` contains hardcoded `accessKeyId` and `accessSecret` values. These are functional API keys for the service's free tier.
- [COMMAND_EXECUTION]: The script `scripts/coin.mjs` includes an `update_key` function that uses `writeFileSync` to modify local `.env` configuration files on the user's system.
- [PROMPT_INJECTION]: The skill ingests external content from news flashes and Twitter feeds in `scripts/news.mjs` and `scripts/twitter.mjs`, which constitutes a surface for indirect prompt injection.
Audit Metadata